The perception of Apple (which is what the stock value reflects) is dependent on the health of one man. While this is a concern, it is not the same as the company itself being dependent.
I fail to see the problem. Title IX merely requires that the school allocate equal funding for both men's and women's sports, which makes plenty of sense to me. It says nothing about team size or entry requirements. It doesn't say that women should be allowed to participate in men's sports or vice versa. If a school has to disband a sports team because they can't make the numbers work for both genders, that's fine by me. It'll get the athletes back in the classroom, which is what college was intended for in the first place and free up some money for actual education, you know, that thing kids are supposed to get at college.
Seriously, Vista is slow because there are more libraries and thus more disk seek time? Give me a break. That's an utterly trivial performance implication. Once a library is loaded into memory, it can be referenced and used without spinning up the god damn hard disk again. That's a trivial optimization that Microsoft has almost certainly made by this point. You're looking at some applications taking a little longer to launch if they haven't been launched for a while. Vista's perceived slowdown is more likely due (at least in part) to virtualizing the GPU address space and inserting another layer of abstraction. Instead of allowing applications direct access to the GPU's memory, the memory is now virtualized and backed by main memory, which is backed by the disk drive. GPU memory became swappable. There were very good engineering reasons for doing this. Microsoft gave up performance for stability, and it was the right decision. (If memory serves, you could get "out of memory" errors in XP if an application requested too much memory from the GPU.)
And his claim that Cocoa on Mac OS X is somehow more "native" than Carbon is just stupid. Carbon may be being phased out, but it certainly doesn't go through any additional interpretation layers. If anything, Carbon is lower-level than Cocoa, and many Cocoa APIs are wrappers around Carbon APIs. It all compiles down to the same assembler. Where Cocoa and Carbon differ is expressiveness, and that comes from the choice of language, not some artificial design constraint on Carbon.
Really, who is this clown, and why is he considered an authority on software development?
You mentioned that you're into Objective-C. That's a rarity, and because of the timing, you've got an opportunity to get a head start on an emerging market: iPhone development. So write an iPhone app over the summer and sell it on the App Store. You could start raking in some money from it, and if people really like it, you won't have too much trouble parlaying that into a job somewhere.
According to DaringFireball, the vulnerability was in PCRE. So your baseless speculation (that the vulnerability was in Safari's URL bar) was completely wrong. And by the way, lots of other Unix software uses the PCRE library, so this vulnerability's scope is probably not just constrained to Safari and probably exists in Linux distros as well (maybe even somewhere in Ubuntu, depending on the version they're using).
If Apple officially allowed the existence of jailbreak, with the caveat that you would lose all software support outside of "restore the iPhone to its original software load," none of this would be an issue.
That's pretty much the existing policy. Apple won't go out of their way to hinder jailbreaking efforts, but they won't support them or test iPhone updates against jailbroken phones either.
I'll make an educated guess and say that he didn't obtain root privileges. Executing arbitrary code in Safari's user process gets you the same privileges that Safari was running under. Had he gone on to use his access to further compromise the system and gain root privileges, I imagine that would have been worth noting in the article, since it would have required exploiting another 0-day vulnerability in a system daemon running as root.
Particularly given that it doesn't require any special credentials to get bugtraq email.
Okay, so where's the Bugtraq submission for this vulnerability?
That said, I don't doubt that the exploit had to chain-load its way to higher privileges; that's entirely possible.
You don't even know if the vulnerability allowed for privilege escalation. The contest rules only specified that the exploit had to read a file. It made no mention at all of the access mode of that file.
I imagine it went something like:
Safari visits site, crashes, executes remotely supplied code.
Remotely supplied code then exploits local vulnerability to gain super-user privileges.
Game over.
Why would you imagine this? Only one vulnerability was reportedly exploited, and only one vulnerability was reported to Apple. You're just making things up.
Local vulnerabilities are a problem, and one that pretty much all OSes have: OS X, Linux or Windows.
My general point at the start of this thread is that these days, users are still the easiest vector in.
That's been true of virtually every form of security for as long as anyone can remember. Physical penetration testers (people hired to break into secured buildings) have routinely found that cigarette smokers are the easiest way in because they come out in groups through back entrances. The tester, in this case, just walks back inside with them. Social engineering didn't start with Kevin Mitnick. It's been around for a very long time.
No, it's totally baseless. The parent has no clue where the vulnerability is; he's just assuming that it's a problem with the Safari UI code and not in WebKit (or one of the other libraries that WebKit uses) because it derives from KHTML, which according to him, must be secure because it's been around longer or was written with "security in mind" or something. Either way, he's got absolutely no basis for that statement.
That's the thing. It wasn't Unix that they broke; it was the relatively new code. OS X may look like a Unix from the outside in, but it's not one from the desktop down.
There is no provision in the POSIX standard for what a Unix desktop is supposed to look like. There are provisions for thread behavior, system calls and system commands. X11 is not a part of Unix. Mac OS X fully complies with the POSIX standard, so it is a Unix.
It may resemble it, but it's not complete. Unix may be convenient for Apple, but it's not a mantra.
It doesn't just "resemble" Unix; it conforms to Unix.
OS X hasn't been subject to it for long at all. Safari's new. *Really* new, and you know what, it wasn't even WebKit that broke, but the URL bar (if memory of the Bugtraq post serves). Where did WebKit come from? Oooh, that's right: KDE.
You know the details of the security vulnerability? I thought no one was supposed to talk about it.
We're all in for it if Apple really does gain significant market share (we being administrators, not we being "the general populace"). It may or may not be as big a problem as Windows has been, but I'm willing to bet that the effects will be as dire, and Apple doesn't really have a fantastic track record here, as other articles have pointed out. The momentum of not having security as a primary goal is one that takes a *long* time to turn around.
So the fact that the target machine couldn't be compromised remotely, despite being the "new kid on the block", means nothing?
Overall, you're arguing about two different things. There's security by design, and then there's secure implementation. It seems like you're claiming that an operating system that's secure by design will, somehow, have fewer implementation flaws. That's not true. Good design is there to mitigate the damage that can be done by exploiting a vulnerability, not to make vulnerabilities disappear. The presence of vulnerabilities in code does not necessarily indicate that that code is insecure by design. The scope of damage that those vulnerabilities can cause, however, is an indication of the design's security.
And I haven't actually been able to find an indication of the scope of this particular vulnerability. All I can see is that contestants had to read a "designated file", with no indication as to the access mode of that file. If it was just a regular, user-owned file, this is a pretty run-of-the-mill buffer overflow in a userland application. If it, somehow, allowed the attacker to gain root privileges, then that's a much bigger problem.
You're referring to MPEG, which is not equivalent to QuickTime. However, the file format license does bear out your claims. It is a proprietary format; it just happens to be fully publicly documented.
The WebKit folks have scored 100/100 on the test. But in the process of making WebKit conform, they found a bug in the test itself that would have forced a violation of the SVG standard to pass, so it wasn't possible to get a valid 100/100 on the test. That renders Opera's score invalid, and they're back to 99/100.
According to the WebKit people, though, this doesn't actually mean they've passed because the animation may not be as smooth as it's supposed to be. But the rendering itself matches the reference rendering perfectly.
No, you don't write code only once. You revise it, over and over again. If you suddenly changed your mind and wanted the opposite behavior (like, if you changed m_allowFontSmoothing to m_disableFontSmoothing), you'd have to change two lines and two constants instead of just replacing an exclamation mark with an equal sign. Generally, the fewer places you manipulate a variable, the better. And avoiding unneeded branching is generally a good thing, too.
In the first example, you're expressing a relationship between two variables in one line, containing one assignment and one comparison. In the second, you are using one comparison, two assignments and branch. It's less efficient, and the relationship isn't as explicit.
QuickTime is fully documented, and anyone is free to implement it. That's pretty open to me. Aside from that, the obvious connotation of "proprietary" among the geek crowd is something that is completely closed and secret. QuickTime is not what proprietary colloquially implies. Apple does not keep the format secret to leverage against competitors.
It doesn't matter if they're a monopoly or not. They have market power. Their demand curve is slanted; thus they can charge above marginal cost for their hardware & software, meaning it is not a competitive market.
And yet, you can get an iPod shuffle for $50, and DRM-free songs on iTunes cost the same as DRM'ed songs.
Daniel 4:7-8 is a key verse here: "I saw a tree of great height at the center of the world. It was large and strong, with its top touching the heavens, and it could be seen from the ends of the earth."
A tree at the center of the earth that could touch the sky and be seen from all "ends" of the earth pretty much implies a flat earth.
It says that the world cannot be moved, but you can interpret that any way you like.
How about I interpret it to mean "The earth cannot be moved"? Why should anyone interpret the passage to mean anything other than what it says? If it came out tomorrow that all the astronomers were wrong and that the earth is the center of the universe, the Bible thumpers would point to the Bible and say, "Ah hah! It was right all along!" Whereas when it's shown that the earth is not the center of the universe, they say that we were just "misinterpreting" the Bible all along. (This implies that we need science to tell us how to correctly interpret the Bible. It provides empirical explanations that make sense, and then the religious people find creative ways to "interpret" certain passages so that they agree with those explanations.) The whole mess rests on the notion of biblical infallibility, which is just silly.
Really? That's a rather extreme, and in fact logically unsupportable hypothesis.
Really? How so? It's a direct consequence of the mechanism of natural selection. If the environment determines which members of a population survive to reproduce, then there is no "perfect state", since environments can and do change. What makes an organism thrive in one environment could kill it in another. This shouldn't come as a surprise to anyone with engineering experience. There are always trade-offs.
It would be better to say that any concept of a "goal state" is extraneous and unnecessary to either fitting existing facts to the theory or predicting new ones from it.
That is not correct. To be extraneous, the concept would have to have no effect on the theory's capacity to predict (like the intelligent designer addition). The stipulation that there is no goal state is a consequence of evolution's mechanism. If we were to entertain that there is a perfect goal state, that would mean that a species could evolve via natural selection to thrive in any environment, even ones that it hasn't encountered. Since evolution is driven by the environment around a species, and many environmental characteristics are mutually exclusive (an environment cannot be both arctic and tropical at the same time), you get a contradiction.
Humans can survive in a wide range of climates and environments due to our ability to use tools, but we can't survive anywhere, and without our tools, we are severely handicapped in terms of raw strength, speed and reproducibility. (Human females have a pregnancy period of 9 months, which severely inhibits reproductive capacity.)
So the Pope provided a model for the afterlife that made falsifiable predictions, has been tested and revised to agree with observation? Because that's what "working scientifically" means. Whatever it is that the Pope does, it sure as hell isn't scientific. He might know how to quote dusty old tomes written by scientifically ignorant nomads thousands of years ago, but that's not scientific.
Faith and science, if considered correctly, will NOT contradict each other, because truth is truth no matter how you find it.
Science doesn't reveal "truth". Truth is unattainable via empirical means. Science can only provide models for reality that can be very accurate but never considered absolutely true. Science is concerned with the real world. Religions are concerned with something else entirely. That something else (afterlife, reincarnation processes, magic, whatever) cannot be described empirically. So religions provide their own descriptions of this something else that are essentially arbitrary. You can't objectively falsify one religion or validate the predictions of another, so there is no useful modeling that can happen. Nor can you prove one religion to be true through logical processes, so there is no truth in religion either. There is personal or communal certainty, but that is a far, far different animal from truth.
Truth is found in mathematics and logical systems.
... the governor of Louisiana is one of the front-runners for McCain's VP spot. The guy famously wrote that he was part of an exorcism and thinks that intelligent design is viable science. He's a real fucking nut-case.
Yes, and after that, they'll kill all the Jedi after turning the Republic into an Empire.
No, it doesn't.
[durandal@Marathon]: ~$ cd /Applications/iTunes.app/Contents/MacOS/
[durandal@Marathon]: MacOS$ otool -l iTunes | grep WebKit
[durandal@Marathon]:
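The otool session above, and the earlier remark that plenty of other Unix software links the PCRE library, both come down to the same check: which binaries on a box name a given shared library in their load commands. The script below is an added example and not the poster's session or any Apple tool; it assumes `otool -L` on macOS or `ldd` on Linux is available, and the library name is matched as a plain substring (so `WebKit` and `libpcre` both work as arguments). The sample dependency lines in the comments are constructed, not captured from iTunes.

```shell
#!/bin/sh
# Added example: find which binaries under a directory link a given shared
# library. Assumes `otool -L` (macOS) or `ldd` (Linux); falls back to
# grepping the binary's dynamic string table when neither tool exists.

# dump_deps BIN: print BIN's dynamic library dependencies, one per line.
dump_deps() {
    if command -v otool >/dev/null 2>&1; then
        # First line of `otool -L` output is the binary's own name; drop it.
        otool -L "$1" 2>/dev/null | tail -n +2
    elif command -v ldd >/dev/null 2>&1; then
        ldd "$1" 2>/dev/null
    else
        # Heuristic fallback: linked library names are stored as plain text
        # in the binary, so grep them out. Noisier, but works anywhere.
        grep -a -o -E '[A-Za-z0-9_./+-]+\.(dylib|so(\.[0-9]+)*)' "$1" 2>/dev/null | sort -u
    fi
}

# deps_mention LIBNAME: read dependency lines on stdin; exit 0 if any line
# contains LIBNAME as a fixed string, 1 otherwise. Kept separate from
# dump_deps so the matching can be exercised on captured/constructed output,
# e.g. (constructed otool -L style line):
#   /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 1.0.0)
deps_mention() {
    grep -q -F -- "$1"
}

# linked_with BIN LIBNAME: does BIN's dependency list name LIBNAME?
linked_with() {
    dump_deps "$1" | deps_mention "$2"
}

# find_linked DIR LIBNAME: print every executable under DIR that links LIBNAME.
find_linked() {
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r bin; do
        if linked_with "$bin" "$2"; then
            printf '%s\n' "$bin"
        fi
    done
}

# Stand-alone usage (hypothetical paths):
#   find_linked /Applications/iTunes.app/Contents/MacOS WebKit
#   find_linked /usr/bin libpcre
```

Two caveats a practitioner would want: `otool -l` dumps every load command and grepping it works, but `otool -L` (or `ldd`) is the narrower listing of linked libraries. And a static listing only shows libraries named at link time; anything pulled in at runtime through dlopen() or by loading a framework bundle will not appear, so an empty grep is evidence that a binary does not link a library, not proof that it never loads it.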
QuickTime is not a proprietary format. It is fully documented, and the trailers are all encoded in H.264 and AAC.
I don't know if we're obsolete yet, but we're definitely going to be deprecated. How long we're kept around for legacy support is an open question.
People study films too. That doesn't mean every film student thinks that Star Wars actually happened.